PHIPA Administrative Monetary Penalty

436 Patient Records. One Clerk. A $2,000 Fine. What Your Organization Needs to Know.

PHIPA Decision 334 from the Information and Privacy Commissioner of Ontario is a wake-up call for every health organization.

A hospital clerk spent six months snooping through the personal health information of 436 patients. She lost her job and was personally fined $2,000.

The message is clear: having privacy policies on paper is not enough. Organizations must ensure that staff understand and follow those policies—and be able to prove it. When they cannot, patients lose trust and organizations face increased regulatory scrutiny.

Privacy Breach Nuggets takes real cases and turns them into practical lessons for privacy officers, organizations, and healthcare or public sector institutions. Let’s break down what happened, what the decision found, and how these lessons apply to privacy and records management programs.

What Happened

A patient services clerk at the Children’s Hospital of Eastern Ontario (CHEO) inappropriately accessed the personal health information (PHI) of 436 patients between March and September 2024. The breach came to light when a nurse contacted CHEO’s Privacy Office with questions about her stepchild’s care. The Privacy Office became concerned about how the nurse appeared to know information she should not have known. An audit revealed that a clerk working in the same unit had accessed the child’s record without authorization.

A broader investigation showed that the clerk had accessed:

  • Her own health record
  • Family members’ records
  • Hundreds of other patient records

The information viewed included demographic details, appointment histories, clinical notes, test results, and referral information.

Managing the Breach

We can analyze the hospital’s response using the 4-Step Response Plan.

Step 1 – Spot and Stop

The first step is to recognize that a privacy breach has occurred and immediately stop further unauthorized access.

A privacy breach occurs when personal health information is lost, accessed, used, disclosed, or destroyed without authorization.

In this case, CHEO’s Privacy Office received a tip on September 10, 2024, when a nurse raised concerns about her stepchild’s health information.

Step 2 – Investigate

CHEO acted quickly:

  • Conducted an initial audit
  • Placed the clerk on administrative leave
  • Revoked access to the electronic health record system
  • Expanded the audit to six months of activity
  • Conducted formal interviews and justification exercises

The investigation confirmed that the clerk had accessed 436 patient records without authorization.

There was no evidence that she copied, disclosed, or financially benefited from the information.

Remember: Simply viewing a patient record without a legitimate need to know is a privacy breach.

CHEO also confirmed that the clerk had completed initial privacy training and had signed a confidentiality agreement upon hire and a renewal in January 2023.

Step 3 – Notify

When a privacy breach occurs, the right people must be informed promptly.

Internally, notify your Privacy Officer and Custodian immediately.

CHEO reported the breach to the Ontario IPC on October 15, 2024.

CHEO initially notified 189 affected patients by mail. After a more extensive audit identified additional affected individuals, the hospital sent a further 107 notification letters in April 2025. Where current addresses were unavailable, notification letters were added to patient files for delivery at the next visit.

Step 4 – Prevent the Breach from Happening Again

After containing the incident, organizations must take steps to reduce the likelihood of recurrence.

CHEO:

  • Implemented their progressive discipline process.
  • Terminated the clerk’s employment on October 24, 2024.
  • Conducted proactive audits twice monthly for six months.
  • Implemented a comprehensive staff re-training initiative.
  • Reinforced the importance of appropriate access and confidentiality.

Commissioner’s Investigation

The Ontario IPC reviewed the incident and imposed Ontario’s second Administrative Monetary Penalty (AMP) under PHIPA.

An AMP is a financial penalty that the IPC can impose without commencing a court prosecution. The purpose is to encourage compliance and ensure that individuals or organizations do not benefit from privacy violations.

Under the PHIPA AMP regulations:

  • Individuals may be fined up to $50,000
  • Organizations may be fined up to $500,000

In this case, the clerk was ordered to pay $2,000 personally.

CHEO was not fined, but the Commissioner issued two formal recommendations to improve the organization’s ability to monitor, track, and document:

  • Annual privacy training completion
  • Annual confidentiality agreement renewals

Demonstrable Accountability

One of the most important lessons from this decision is the concept of demonstrable accountability.

It is not enough to say that staff are trained and confidentiality agreements are renewed annually.

You must be able to prove it.

In this case, CHEO had strong privacy policies and procedures, but it could not produce documented evidence that the employee had completed her 2024 privacy training or re-signed confidentiality agreements in 2023 and 2024.

The Commissioner summarized this principle clearly:

Organizations must “say what they will do, and then do what they say.”
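The tracking the Commissioner asked for is easy to state and easy to lose in a spreadsheet. The following Python script is an added illustration (it is not CHEO’s system or anything from the IPC decision) of a check that answers the regulator’s actual question: for each staff member, what dated evidence of training and of a signed confidentiality agreement can you produce, and is it current? The staff ids, dates and record layout are constructed for the example; a real check would read them from the learning-management and HR systems.

```python
"""Evidence check for annual privacy training and confidentiality agreements.

Added illustration, not CHEO's or the IPC's tooling. The record layout,
staff ids and dates below are constructed for the example.
"""
from datetime import date

# Constructed staff records (hypothetical): for each person, the dated evidence
# the Privacy Office could actually produce if a regulator asked for it.
STAFF_RECORDS = {
    "S001": {  # fully documented: trained and re-signed every year
        "training": [date(2021, 3, 2), date(2022, 2, 15), date(2023, 2, 10), date(2024, 2, 12)],
        "agreement": [date(2021, 3, 1), date(2022, 2, 15), date(2023, 2, 10), date(2024, 2, 12)],
    },
    "S002": {  # policy says annual renewal, but the last evidence is from early 2023
        "training": [date(2020, 6, 2), date(2022, 1, 12), date(2023, 1, 9)],
        "agreement": [date(2020, 6, 1), date(2023, 1, 9)],
    },
    "S003": {  # new hire: agreement signed, onboarding training not yet recorded
        "training": [],
        "agreement": [date(2024, 8, 19)],
    },
    "S004": {  # data-entry error: training dated in the future
        "training": [date(2025, 1, 5)],
        "agreement": [date(2024, 3, 1)],
    },
}

EVIDENCE_KINDS = ("training", "agreement")


def compliance_gaps(records, as_of, max_age_days=365):
    """Return {staff_id: [issue, ...]} for everyone who cannot be proven
    current as of `as_of` (a date or an ISO 'YYYY-MM-DD' string).
    Staff with complete, current evidence are omitted from the result."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    gaps = {}
    for staff_id, record in records.items():
        issues = []
        for kind in EVIDENCE_KINDS:
            valid = [d for d in record.get(kind, []) if d <= as_of]
            future = [d for d in record.get(kind, []) if d > as_of]
            if not valid:
                issues.append(f"no_{kind}_on_file")
            elif (as_of - max(valid)).days > max_age_days:
                issues.append(f"{kind}_expired:{max(valid).isoformat()}")
            if future:
                # A date after the audit date is a recording error, not evidence.
                issues.append(f"{kind}_dated_in_future")
        if issues:
            gaps[staff_id] = issues
    return gaps


def evidence_for_year(records, staff_id, year):
    """The question a regulator asks: what dated evidence exists for this
    person in this calendar year? Returns ISO dates per evidence kind."""
    record = records[staff_id]
    return {
        kind: [d.isoformat() for d in record.get(kind, []) if d.year == year]
        for kind in EVIDENCE_KINDS
    }


if __name__ == "__main__":
    audit_date = "2024-09-10"
    for staff_id, issues in compliance_gaps(STAFF_RECORDS, audit_date).items():
        print(staff_id, ", ".join(issues))
    print("S002 in 2024:", evidence_for_year(STAFF_RECORDS, "S002", 2024))
```

Run it and the output lists only the people whose evidence is missing, stale, or mis-dated. A new hire shows up until their onboarding training is recorded, which is the point: the report should say what cannot be proven, not what the policy promises.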

Take-Aways

✅ A privacy breach can start with one suspicious question–train staff to pay attention and speak up.

✅ Having privacy policies is not enough; you must be able to prove your staff are following them.

✅ Track and document annual privacy training and confidentiality agreement renewals for every single staff member.

✅ Curiosity snooping is a serious breach, even when there is no intention to disclose the information.

✅ Simply viewing a patient record without a legitimate need to know is a privacy breach.

Call to action

Want to strengthen your privacy breach response and accountability program?

Join Kayla Das and Jean L. Eaton for our How to Manage a Privacy Breach in Your Canadian Practice Workshop, where we provide practical tools, templates, and training to help your organization respond confidently to privacy incidents and demonstrate compliance.

Reference

Information and Privacy Commissioner of Ontario. PHIPA Decision 334. April 23, 2026. https://decisions.ipc.on.ca/ipc-cipvp/phipa/en/522336/1/document.do

Privacy Breach Nugget: When Patient “Success Stories” Become a Privacy Breach

Ever wonder how privacy breaches happen—and what you can do to stop them? Privacy Breach Nuggets takes real cases and turns them into practical lessons for privacy officers, clinics, and healthcare practices. Let’s unpack today’s case and explore what went wrong, what worked, and how you can apply these insights to protect patient information.

What Happened

Cadia Healthcare Facilities is a rehabilitation, skilled nursing, and long-term care services provider with 5 locations in Delaware, US.

Cadia posted patient names, photographs, and detailed health information on its public-facing website as part of a marketing campaign featuring patient “success stories.” These disclosures were made without obtaining valid written authorization from the patients whose information appeared on the website.

4 Step Privacy Breach Response

Cadia’s management of the privacy breach can be examined using the 4 Step Response Plan framework.

Step 1 – Spot and Stop

Cadia had procedures that required employees to obtain written consent from patients before sharing their testimonials. Despite this, the Office for Civil Rights (OCR) received a complaint in September 2021 alleging that patient information had been disclosed without authorization.

OCR’s investigation ultimately confirmed that the protected health information (PHI) of 150 patients had been disclosed without proper authorization. Cadia was formally notified of these findings in February 2022.

Step 2 – Investigate

Cadia conducted an internal investigation and, in March 2022, removed all of the success stories from its social media and website and ended the marketing campaign.

However, during this process, the organization deleted the content before confirming which patients had valid written consent on file, making it more difficult to accurately determine the full scope of unauthorized disclosures.

Step 3 – Notify

Cadia initially failed to notify affected patients of the privacy breach, as required. Notification obligations were later addressed as part of the enforcement process. A public notice regarding the breach can now be found on the Cadia website.

Step 4 – Prevent the Breach from Happening Again

According to the OCR settlement details:

  • Cadia agreed to pay a $182,000 USD penalty
  • A Corrective Action Plan (CAP) was imposed, including two years of OCR monitoring and reporting
  • Cadia failed to properly implement its existing administrative privacy policies
  • Cadia is required to:
    • Revise its privacy policies and procedures
    • Provide privacy training to all staff, including marketing personnel
    • Implement stronger authorization processes before using patient information for marketing
  • Cadia must now notify all affected individuals whose PHI was disclosed without authorization

Website and Social Media Tips

Custodians are responsible for ensuring that patients’ health information is collected, used, and disclosed in compliance with health privacy legislation, such as Alberta’s Health Information Act (HIA) and Ontario’s Personal Health Information Protection Act (PHIPA).

It’s also important to ensure your practices align with professional college standards related to advertising, professionalism, and confidentiality.

Here are key questions to include in your website and social media compliance checklist before collecting or using patient testimonials:

  • What is your clinic’s approval process before content is posted online?
  • Has the patient provided written consent for their information to be used?
    • If a photograph is included, does the consent explicitly authorize the use of images?
  • Who authorizes the content before it is published?
    • For example: the healthcare provider, lead custodian, social media lead, or privacy officer?
  • Before posting, has the content been reviewed for compliance with:
    • Health privacy legislation?
    • Professional college standards?
  • Does your marketing vendor understand your privacy obligations?
    • Do you have a written agreement in place requiring the vendor to protect the confidentiality of personal health information?

Also See

Is your website secure? Take the Website Self-Assessment from Elevated Business Solutions.

Do you have a website for your healthcare practice in Ontario? PHIPA Website Guide from Elevated Business Solutions will help you.

Take-Aways

The Cadia case is a reminder that policies alone are not enough. Clinics must ensure that privacy requirements are understood, followed in practice, and applied consistently across all teams, including marketing and external vendors. Taking the time to review your website and social media practices now can help prevent a costly and public privacy breach later.

You May Also Be Interested In

Medical Secretary Fined for Unauthorized Access And Disclosure to Health Information

3rd Largest Fine Ever Under the HIA

References

Cadia Healthcare Facilities. Notice of Success Story Incident. https://cadiahealthcare.com/wp-content/uploads/2025/06/Cadia_Notice-1.pdf

Health and Human Services. HHS’ Office for Civil Rights Settles HIPAA Investigation of Cadia Healthcare Facilities for Disclosure of Patients’ Protected Health Information. September 30, 2025. https://www.hhs.gov/press-room/ocr-settles-hipaa-with-cadia-healthcare-facilities.html

Help Me With HIPAA. Did Anyone Even Ask If It Was OK? – Ep 531 podcast. October 17, 2025. https://helpmewithhipaa.com/did-anyone-even-ask-if-it-was-ok-ep-531

Privacy Breach Nugget: Why Documentation Matters in Privacy Breach Investigations

Investigation Tips Following the NWT Health Authority Incident

When employees make mistakes that result in a privacy breach, the custodian is held responsible to ensure that appropriate investigations are performed. This includes appropriate documentation of the privacy breach incident and sanctions when indicated.

The NWT Information and Privacy Commissioner (IPC) opened an investigation into the Northwest Territories Health and Social Services Authority (NTHSSA) after a reported privacy breach in 2024. This review aimed to assess whether the health authority had adequate safeguards in place to investigate and prevent similar future incidents.

Privacy Breach Nuggets takes real cases and turns them into practical lessons for privacy officers, clinics, and healthcare practices. Let’s dive into what went wrong, what worked, and how you can apply these insights to strengthen your privacy program.

What Happened

In April 2024, a patient filed a complaint with the nurse-in-charge at a health centre in the Northwest Territories. The complaint alleged that a clerk had inappropriately shared the patient’s personal health information with a family member during a casual conversation.

The nurse-in-charge apologized to the patient and escalated the issue to the regional manager. The clerk denied disclosing the health information, but the health authority concluded the incident had indeed occurred.

The Commissioner emphasized that there was no ill intent, stating:

“The interaction between the clerk and the sister was spontaneous and indicates a simple lapse in judgment.”

Managing the Breach

The NTHSSA’s management of the privacy breach can be examined using the 4 Step Response Plan.

Step 1 – Spot and Stop

The privacy breach was identified by the patient and reported to the nurse in charge and escalated to the regional manager.

Step 2 – Investigate

An investigation was initiated. While the clerk denied the allegation, the health authority determined a breach had occurred.

However, the Commissioner noted a serious concern: the investigation was poorly documented. If notes were taken, they could not be located or produced during the review.

Step 3 – Notify

The patient and NTHSSA (the custodian) were both aware of the breach. No further notification was required.

Step 4 – Prevent the Breach from Happening Again

The health authority directed the clerk to:

  • Complete updated privacy training
  • Review the oath of office
  • Review patient confidentiality policies

No further disciplinary action was taken.

Commissioner’s Investigation

The IPC made several key recommendations:

  • Equip investigators: Ensure staff who investigate privacy breaches are properly trained and supported to conduct effective, timely, and well-documented investigations.
  • Enforce sanctions: Ensure managers understand the range of disciplinary options available and are aware of their obligation to apply reasonable disciplinary measures when warranted.
  • Annual privacy training: Reinforce the Mandatory Training Policy by ensuring all employees complete refresher privacy training every year.
  • Use real examples: Incorporate this privacy breach as a case study in future privacy training to help employees understand their obligations—at work and outside of work.

Take-Aways

Annual privacy training is not enough.

Training must include real-world, job-relevant examples and emphasize how privacy rules apply in everyday situations.

When employees make mistakes, it’s the custodian’s responsibility to lead an appropriate and well-documented investigation—not just revisit outdated training.

A strong privacy culture includes tools, training, and clarity. Equip your investigators, privacy officers, and managers with the skills they need to respond appropriately.

For more on how to manage privacy-related employee errors, listen to the podcast:

Managing Employees When They Make Mistakes – Episode #105

Need Help Training Your Privacy Team?

Ask me about Practical Privacy Officer Strategies training to strengthen your internal investigation process and build a more resilient workplace.

Reference

Northwest Territories Information and Privacy Commissioner. File Number 24-950-6, April 4, 2025. Northwest Territories Health and Social Services Authority (Re), 2025 NTIPC 97 (CanLII), <https://canlii.ca/t/kc0s6>, retrieved 2025-06-09.

Why You Need Policies and Procedures

Why You Need Health Information Policies and Procedures

Maybe you’ve heard you need written policies and procedures for your health information, but you’re left asking yourself why it’s so important.

The truth is, without written policies and procedures, you open your healthcare practice up to a whole host of problems, including major legal issues.

In fact, every business needs good practices that apply to your:

  • Information that you collect from patients/clients
  • Website
  • Email
  • Business practices including electronic (or paper) patient records, and computer network
  • Financial information
  • Billing, collection, and payment processing

Within the healthcare industry, there are additional legislative requirements that call for specific written health information policies and procedures.

The Health Information Act (HIA) and the Personal Information Privacy Act (PIPA)

As mentioned, when a custodian collects health information in Alberta, they must follow the Health Information Act (HIA).

Like most other private businesses in Alberta, private healthcare practices must also comply with the Personal Information Privacy Act (PIPA).

The colleges of regulated health professionals (like the Alberta Dental Association and College (ADAC) and the College of Physicians and Surgeons of Alberta (CPSA)) require dentists and physicians to meet standards of practice that include compliance with HIA and PIPA legislation.

In addition, the colleges have other standards of practice that you must meet, including policies and procedures for the collection, use, disclosure, and access to health information.

So, let’s explore further why written policies and procedures are so essential, as well as what can happen without them, and why healthcare practices may not think they need them in the first place.

Benefits of Policies and Procedures

One of the most critical benefits of having policies and procedures in place is that they’re good for business.

Here’s how:

  • They contribute to consistent, efficient workflow.
  • You can figure it out once, write the procedure, tweak it to make it better, and then repeat the same procedure again and again.
  • They help you make better business decisions, like buying supplies, choosing services, and selecting vendors.
  • They help support your accreditation efforts.
  • On-boarding employees the right way with no missed steps is much easier with policies and procedures in place.

If you’re looking for even more proof of the benefits of having written procedures, it can also help you avoid:

  • Internal disputes within your team and external disputes with your patients and clients
  • Re-work and re-training employees
  • Poor customer service
  • Poor reputation
  • Fines and penalties

Fines And Penalties For Not Having Written Policies And Procedures

You might be wondering why you would face fines and penalties for not having written policies and procedures in the first place.

The HIA requires the custodian – which includes the physician, pharmacist, dentist or dental hygienist – to take reasonable safeguards to protect the privacy and confidentiality of patients’ health information.

Having written policies and procedures is a common, expected, and reasonable safeguard.

Let’s say you have a privacy breach in your practice or an error (like sending a fax to the wrong number or you are a victim of a phishing or ransomware attack).

You can learn more about what makes a privacy breach a privacy breach here.

If you can’t demonstrate that you had the appropriate reasonable safeguards, like written policies and procedures in place, you are guilty of an offence under the law.

It’s illegal not to have policies and procedures when you collect health information.

If you are guilty of this offence, you are liable for a fine of a minimum of $2,000 and not more than $500,000. (HIA section 107(7)).

3 Policies and Procedures Myths

One reason some healthcare practices fail to have written policies and procedures is because they believe they don’t need them.

Often, this is because they’ve fallen prey to the common myths about policies and procedures.

Here are 3 common myths that stop healthcare providers and their clinic managers from creating written policies and procedures:

  1. It’s Too Hard

While it does take some skill to write clear, easy-to-read, and easy-to-understand policies and procedures, it doesn’t have to be hard. In fact, you can even purchase templates to make this easier.

  2. It Takes Too Much Time

Writing policies and procedures does take some time.

But investing the time to create policies and procedures pays off by preventing suffering from inconsistent or broken procedures, using or disclosing health information in error, and having to pay fines, penalties, public relations nightmares, or spending the time required to run a privacy or security investigation.

  3. It’s A Waste Of Time

Here are a few good reasons that prove writing policies and procedures is not a waste of time:

  • Practical privacy policies and procedures will create a more efficient practice and help you make better business decisions.
  • The policies and procedures become the foundation of your privacy impact assessment.
  • Policies and procedures are pre-requisites for other initiatives, like access to Netcare or other community integration initiatives, and privacy impact assessments (PIA).
  • You must have them as part of your legislative compliance.
  • It’s the law. Not having policies and procedures regarding the collection, use, disclosure, and access of health information is illegal.

As you can see, written policies and procedures help ensure consistent office procedures and good communication between team members in your healthcare practice.

In addition to those good reasons, you must have good written policies and procedures about how you collect, use, disclose, and provide access to health information to avoid legal problems, fees, penalties, and other problems.

Not Sure Which Policies and Procedures You Need?

Did you enjoy this article? If you’d like to look at similar posts, visit these links:

Do You Know Where Your Policies and Procedures Are? 

Privacy Impact Assessments (PIA)

Privacy Principles Apply After Death

Are your staff looking at medical records when they shouldn’t be?

Many people have the mistaken impression they can look at a patient’s medical records as long as they don’t tell anyone else.

It’s not okay.

We continue to see examples of snooping where both seasoned and new healthcare providers and support staff don’t realize that looking at patient’s health information—even with good intentions—is a serious privacy violation.

As privacy lawyer Kate Dewhirst puts it:

  • Privacy = Don’t look
  • Confidentiality = Don’t tell

Despite years of experience, many healthcare professionals still need a refresher on the basics. Privacy awareness training remains essential.

In this article, I am sharing an example from Ontario’s Information and Privacy Commissioner (IPC). This case involves a privacy complaint submitted by the family of a deceased individual. It’s a good reminder that whether you’re running a brand-new clinic or managing an established practice, it’s critical to understand your legal responsibilities and have systems in place to protect patient information.

What Happened

In 2014, a physician accessed a deceased patient’s health records while acting in his role as a coroner. The patient was also a family member. Soon after, the family alleged that the physician continued to access the individual’s personal health information (PHI) contrary to Ontario’s Personal Health Information Protection Act (PHIPA).

The family submitted a complaint to the hospital. Initially, the hospital’s response did not satisfy the family. The family filed a complaint to the Information and Privacy Commissioner (IPC) of Ontario.

The IPC started a complaint investigation.

Privacy Complaint Investigation

Under PHIPA, the hospital is a health information custodian and the physician is an agent of the hospital.

During the IPC investigation, the physician admitted he “accessed the health information in response to his concern about the individual’s well-being.”

“I know now that proceeding in this way was misguided and wrong.” He would never disclose the information to anyone; that would be a violation of patient privacy and a breach of doctor – patient confidentiality.

He acknowledged he misunderstood the difference between:

  • Privacy: The general right of every individual (living or deceased) to limit access to their health information.
  • Confidentiality: The duty to not share that information once accessed.
  • Circle of care / Need to know: You must only access information required to provide care at that moment.

4 Step Response Plan

When you have a privacy breach, follow these four steps to manage the privacy breach incident.

Step 1 – Spot and Stop the Breach

The family’s complaint prompted the hospital to begin the first step to spot and stop the breach.

Step 2 – Evaluate the Risks

An initial risk assessment was conducted, and after the IPC got involved, the hospital re-opened the investigation. They completed a comprehensive review and used audit log reporting tools to trace access.
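Both the CHEO investigation above (the initial audit, the six-month expansion and the justification exercises) and this Sault Area Hospital review relied on audit-log reporting. The following Python script is an added illustration, not either hospital’s tooling, of the kind of retrospective review those reports support: it walks a log extract and attaches a reason code to each access that matches a snooping pattern (a user opening their own chart, a chart sharing their surname, a chart outside their assigned unit, or a chart with no scheduled encounter that day). The CSV layout, staff directory, patient index, encounter list and log lines are all constructed for the example.

```python
"""Retrospective EHR access-log audit for snooping patterns.

Added illustration, not the audit tooling used by CHEO or Sault Area Hospital.
The log format, staff directory, patient index and encounter list are all
constructed for the example; a real audit would pull these from the EHR.
"""
import csv
from collections import Counter
from io import StringIO

# Constructed staff directory (hypothetical): the unit each user works in,
# their surname, and their own patient id if they are also a patient here.
STAFF = {
    "clerk01": {"unit": "ONC", "surname": "Tremblay", "patient_id": "P1001"},
    "nurse07": {"unit": "ONC", "surname": "Singh", "patient_id": None},
}

# Constructed patient index (hypothetical).
PATIENTS = {
    "P1001": {"surname": "Tremblay", "unit": "ONC"},
    "P1002": {"surname": "Tremblay", "unit": "PED"},
    "P3003": {"surname": "Nguyen", "unit": "ONC"},
    "P4004": {"surname": "Okafor", "unit": "CARD"},
}

# Constructed encounter list (hypothetical): (patient id, date) pairs with a
# scheduled visit, i.e. a plausible business reason to open the chart that day.
ENCOUNTERS = {("P3003", "2024-09-01")}

# Constructed audit-log extract (hypothetical CSV layout).
SAMPLE_LOG = """\
timestamp,user,patient,action
2024-09-01T09:12:00,clerk01,P3003,view
2024-09-01T09:15:00,clerk01,P1001,view
2024-09-01T09:20:00,clerk01,P1002,view
2024-09-01T10:02:00,clerk01,P4004,view
2024-09-01T10:05:00,nurse07,P3003,view
"""


def audit_access_log(log_text, staff=STAFF, patients=PATIENTS, encounters=ENCOUNTERS):
    """Return one finding dict per (event, reason). Findings are leads for the
    justification exercise, not proof of wrongdoing on their own."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        user = staff.get(row["user"])
        patient = patients.get(row["patient"])
        if user is None or patient is None:
            # An id the directory cannot resolve is itself worth a look.
            findings.append({**row, "reason": "unknown_user_or_patient"})
            continue
        reasons = []
        if row["patient"] == user["patient_id"]:
            reasons.append("self_access")
        elif patient["surname"].casefold() == user["surname"].casefold():
            reasons.append("possible_family_access")  # surname match is a heuristic only
        if patient["unit"] != user["unit"]:
            reasons.append("outside_assigned_unit")
        if (row["patient"], row["timestamp"][:10]) not in encounters:
            reasons.append("no_encounter_on_access_date")
        for reason in reasons:
            findings.append({**row, "reason": reason})
    return findings


def findings_per_user(findings):
    """Count findings per user so the review starts with the heaviest outliers."""
    return dict(Counter(f["user"] for f in findings))


def reasons_for(findings, user, patient):
    """All reason codes attached to one user/patient pair, for the justification letter."""
    return sorted({f["reason"] for f in findings if f["user"] == user and f["patient"] == patient})


if __name__ == "__main__":
    results = audit_access_log(SAMPLE_LOG)
    for f in results:
        print(f["timestamp"], f["user"], f["patient"], f["reason"])
    print(findings_per_user(results))
```

Each finding is a lead for the justification exercise rather than a conclusion: a surname match or an out-of-unit access can have an innocent explanation, and the review should record the explanation (or its absence) against each line, which is the documentation a regulator will later ask to see.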

Step 3 – Notify

The hospital eventually informed the family of the privacy breach—but the notification wasn’t timely. A more thorough and timely response could have helped address the family’s concerns more effectively.

Step 4 – Prevent the Breach From Happening Again

Following the breach, the hospital implemented several improvements:

  • Introduced a new auditing program that enhances its ability to detect unauthorized access.
  • Updated its Privacy and Confidentiality Policy, which applies to all agents of the hospital.
  • Launched a mandatory annual electronic privacy training program for all staff, volunteers, and learners. Physicians must complete this training as part of the annual reappointment process.
  • Strengthened the privacy warning on its electronic system, which warns users that unauthorized use of personal health information may result in disciplinary action.

The hospital’s Medical Advisory Committee also recommended disciplinary actions:

  • A three-month suspension of the physician’s hospital privileges
  • Three years of enhanced monitoring of his access to patient records
  • A requirement to present at Grand Rounds on privacy topics upon his return

The IPC concluded that the disciplinary consequences for the physician were sufficient in the circumstances.

Privacy Breach Nuggets You Need to Know

Privacy breaches are in the news every day. Here’s how you can be proactive to prevent privacy breach pain.

  • Go beyond policies—model good practices
  • Use real-life examples in staff meetings
  • Incorporate gamification and ongoing discussions to engage your team

Privacy awareness is everyone’s responsibility. Make sure your staff know what’s expected, what’s at risk, and what to do if something goes wrong.

If you need to start or update your privacy awareness training program, check out the on-line education Privacy Awareness in Healthcare: Essentials.

When we know better, we can do better…

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you protect your practice.

PRIVACY BREACH NUGGETS are provided to help you add a ‘nugget’ to your privacy education program. Share these with your staff and patients as a newsletter, poster, or staff meeting.

Jean L. Eaton, Your Practical Privacy Coach

References and Resources

Dewhirst, Kate. After Death: Who Can Access The Records Of A Patient After Death? May 7, 2019. https://katedewhirst.com/blog/2019/05/07/after-death-who-can-access-the-records-of-a-patient-after-death/

Information and Privacy Commissioner of Ontario. PHIPA Decision 74 (File HC15-4), Sault Area Hospital. August 10, 2018.